Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add "Force SSL login" setting #1677

Closed
mattab opened this issue Sep 6, 2010 · 5 comments
Closed

Add "Force SSL login" setting #1677

mattab opened this issue Sep 6, 2010 · 5 comments
Labels
Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
Milestone

Comments

@mattab
Copy link
Member

mattab commented Sep 6, 2010

Piwik should work nicely when loaded in https (SSL).

It would be nice to have an option to force SSL login, so that login data is always sent encrypted.

Maybe we should, if possible, check that SSL actually works at all, to prevent non ssl compatible setups to set this to true which would then prevent logins.

Note: this is similar to wordpress wp-config hack FORCE_SSL_LOGIN

@robocoder
Copy link
Contributor

Propose also settings the Strict Transport Security header per the IETF draft.

@robocoder
Copy link
Contributor

FireSheep is making news. I think we can implement this for 1.1.

@robocoder
Copy link
Contributor

Strict Transport Security is a wontfix (out-of-scope):

  • in a reverse proxy, we may not be able to tell if the user is using http or not, so we can't blindly force a redirect
  • the sts field is only sent in the header of a https response; this doesn't allow for auto-discovery
  • the policy applies at the domain level (not url); piwik may not be the only app hosted on this domain/subdomain

@robocoder
Copy link
Contributor

(In [3266]) fixes #1677 - added General force_ssl_login setting to global.ini.php (defaults to 0, disabled); this applies to login, lost password, and reset password forms

I opted to implement this as a config file option (instead of via General Settings), as it ensures the sysadmin has file access to change the setting, in the event the secure login doesn't work (e.g., no virtual host listening to port 443).

There are two aspects to the patch in order to handle reverse proxies:

  • checkForceSslLogin() - performs a server-side redirect if the connection isn't secure
  • header.tpl - performs a client-side redirect if the connection isn't secure

@mattab
Copy link
Member Author

mattab commented Dec 23, 2010

added faq:

How do I force Piwik login to use SSL (https)?. Let me know if any feedback.

@mattab mattab added this to the Piwik 1.1 milestone Jul 8, 2014
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Enhancement For new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc. Major Indicates the severity or impact or benefit of an issue is much higher than normal but not critical.
Projects
None yet
Development

No branches or pull requests

2 participants